This week’s conversation in the CISO Twitterverse showcases a few approaches that are outside of the box, and by “box” I mean the network perimeter. Cloud adoption has forced a paradigm shift in the security landscape. As systems of record move off-premises, companies must find ways to extend security capabilities beyond their physical walls. At the same time, enterprises are increasingly aware that their network perimeter is not foolproof and that Shadow IT has become a primary path for exfiltrating compromised data. Let’s take a look at the alternatives to the traditional perimeter security model.
Dmitri Alperovitch, CTO at CrowdStrike, explains the shortcomings of focusing on the perimeter, pointing out that the long time it typically takes to detect a breach is a central concern for enterprise security. Correlating multiple signals of behavioral risk, such as a user’s role and their behavior across applications, can help surface suspicious activity sooner than perimeter controls alone.
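To make the idea concrete, here is a small behavioral risk scorer added for this post (it is not CrowdStrike’s or Alperovitch’s code). It combines four signals per event: whether the application fits the user’s role, whether the application is sanctioned by IT at all (shadow IT), time of day, and outbound volume relative to the user’s own history. Every role, application name, user and log line below is constructed for the illustration, and the point values are arbitrary assumptions.

```python
"""Toy behavioral risk scorer combining role, cross-application access,
time of day and transfer volume into one score per user.
Added illustration for this post, not a vendor's method. All names,
roles, applications, weights and log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Applications each role is expected to touch (assumed policy).
ROLE_APPS = {
    "finance":  {"erp", "email"},
    "engineer": {"git", "ci", "email"},
}
# Applications IT has sanctioned; anything else is treated as shadow IT.
SANCTIONED = {"erp", "email", "git", "ci", "hr"}

# Constructed history (user, app, bytes out) used for a per-user volume baseline.
HISTORY = [
    ("alice", "erp", 120_000), ("alice", "email", 80_000),
    ("alice", "erp", 150_000), ("alice", "email", 60_000),
    ("bob", "git", 900_000), ("bob", "ci", 400_000), ("bob", "email", 50_000),
]

# Constructed "today" log: user, role, app, bytes out, timestamp.
EVENTS = [
    ("alice", "finance", "erp", 130_000, "2015-04-14T10:15:00"),
    ("alice", "finance", "hr", 40_000, "2015-04-14T11:02:00"),
    ("alice", "finance", "filedrop.example", 9_000_000, "2015-04-14T02:40:00"),
    ("bob", "engineer", "git", 850_000, "2015-04-14T14:20:00"),
    ("bob", "engineer", "email", 45_000, "2015-04-14T15:05:00"),
]


def baseline(history):
    """Median bytes-out per user from historical events."""
    per_user = defaultdict(list)
    for user, _app, nbytes in history:
        per_user[user].append(nbytes)
    return {u: median(v) for u, v in per_user.items()}


def score_event(event, typical):
    """Return (score, reasons) for one event; weights are assumptions."""
    user, role, app, nbytes, ts = event
    score, reasons = 0, []
    if app not in ROLE_APPS.get(role, set()):
        score += 3
        reasons.append(f"{app} outside {role} role")
    if app not in SANCTIONED:
        score += 2
        reasons.append(f"{app} unsanctioned (shadow IT)")
    hour = datetime.fromisoformat(ts).hour
    if hour < 6 or hour >= 22:
        score += 2
        reasons.append(f"off-hours ({hour:02d}:00)")
    base = typical.get(user)
    if base and nbytes > 10 * base:
        score += 3
        reasons.append(f"{nbytes} bytes > 10x baseline {base:.0f}")
    return score, reasons


def assess(events, history, threshold=5):
    """Aggregate per-user risk and return users at or above the threshold."""
    typical = baseline(history)
    totals, findings = defaultdict(int), defaultdict(list)
    for ev in events:
        s, why = score_event(ev, typical)
        totals[ev[0]] += s
        if why:
            findings[ev[0]].append((ev[2], s, why))
    return {u: (totals[u], findings[u]) for u in totals if totals[u] >= threshold}


if __name__ == "__main__":
    for user, (total, items) in assess(EVENTS, HISTORY).items():
        print(f"{user}: risk {total}")
        for app, s, why in items:
            print(f"  {app} (+{s}): {'; '.join(why)}")
```

No single signal here is conclusive: a finance user touching the HR app scores low on its own, but the same user pushing nine megabytes to an unsanctioned file-drop service at 02:40 trips every check at once, which is the kind of cross-application correlation the perimeter never sees.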
The cloud often gets a bad rap from a security perspective, but Latha Maripuri, CISO at NewsCorp, debunks this myth with an article on why cloud is at least as secure as, if not more secure than, on-premises servers. As an example, the recent breaches at Anthem, JP Morgan, Sony, and Target all involved datacenters, not cloud services. Cloud service providers actually have much more at stake from a security standpoint, since a breach could completely destroy confidence in their product and put the company out of business. They also have more resources to dedicate to security. At the same time, customers remain responsible for ensuring employees use these services in secure ways and for securing the cloud-based systems of record themselves.
With the overwhelming variety of threats being thrown at security teams, executives have called for instilling an organizational culture of security. Nikk Gilbert, former US Department of Defense CISO, shared an article on an essential component of a security-aware organization: user education. Especially given how often credentials are compromised through phishing, security training can be one of the most effective and low-cost initiatives to add on to typical security tools.
Dan Lohrmann, former State of Michigan CSO, raised another common misconception: that checking boxes to achieve compliance ensures an organization is secure. The article he shared highlights the case of Premera, which was breached shortly after auditors declared the organization HIPAA compliant.
Then there’s the response when all else fails: cyber-insurance. Ben Beeson of Lockton Companies shared a post which states that financial institutions are scrambling to purchase insurance against cyber attacks. This comes as part of a larger trend in which information security risk is becoming one of the top priorities when it comes to corporate risk mitigation, especially from the board of directors’ perspective. For those attending RSA, look for this theme to play a prominent role and catch one of the sessions on the board’s role in cyber-security.